Open markgamache opened 1 week ago
I think this is a very good idea. NIST 800-63b does not allow SMS MFA alone for class AAL-2 apps (sensitive data)
Agreed
Yeah, if a company offers a choice of 2FA via SMTP or SMS, I personally am always going to pick SMTP. Gmail and other email providers provide strong multi-factor authentication, whereas SMS has pretty much 0 protection. That plus if the site using SMS to offer 2FA is breached, the bad guys now also have your cell # which is much worse (even without SIM swapping concerns).
What is missing or needs to be updated? The sections on SMS have some pros and cons that are OK, but they don't quantify the risk well. SMS is better than nothing, as the article points out, but actually if you are trusting it to be real MFA, it might be detrimental. That is, some put too much faith in it. I think the language should suggest it is NOT appropriate for situations involving loss of money or real privacy, like banking and healthcare.
How should this be resolved?
If it is agreed upon, I will create a PR pointing out that SIM swaps and other SMS attacks are common and that SMS is discouraged as a factor as described above.